Microsoft Releases Security Advisory for .LNK Bug Under Attack

Microsoft has issued an advisory about a security vulnerability being used by a Trojan to infect computers. According to security pros, the Trojan is spreading through USB devices.

Microsoft issued an advisory today to address a zero-day vulnerability linked to a Trojan spreading through infected USB devices.
According to Microsoft, the vulnerability at the center of the
reports exists because Windows incorrectly parses shortcuts in a way
that allows malicious code may be executed when the user clicks the
displayed icon of a specially crafted shortcut. This vulnerability is
most likely to be exploited through removable drives.

For systems that have AutoPlay disabled, customers would need to
manually browse to the root folder of the removable disk in order for
the vulnerability to be exploited, Microsoft said. For Windows 7
systems, AutoPlay functionality for removable disks is automatically
disabled.

Security vendor VirusBlokAda reported that a Trojan is using the
vulnerability to propagate through infected USB devices. The malware
uses rootkit functionality to hide itself, the vendor said.
Microsoft said so far it is only seeing limited, targeted attacks exploiting the vulnerability.
Independent security researcher Frank Boldewin reported
finding evidence the malware is targeting Siemens SCADA software,
meaning it could be meant for industrial espionage. An initial analysis
by Symantec also revealed references to software used on SCADA systems,
but the vendor said it is still investigating.
"We're currently investigating this threat, which Symantec detects
as W32.Temphid," said Dave Cowings, senior manager of operations for
Symantec Security Response, told eWEEK. "Based on our initial analysis,
however, we can say that this threat is clearly not something that was
created overnight...Users accessing the USB device only see LNK files
(i.e. links or shortcuts) with legitimate looking icons. When a user
clicks on one of these LNK files, the hidden malicious payload is
triggered into action."
Malware that spreads via USB devices is really a double-edged sword,
Cowings added. On one hand, such devices are often transferred from one
machine to another, but this also requires physical action on the part
of the user.
"This human interaction element may in some cases be a mitigating factor to widespread distribution of such threats," he said.
As a workaround, Microsoft suggested users disable the displaying of
icons. Users can also disable the WebClient Service by following
instructions contained within the advisory.